Securing a Web Application in NetBeans IDE 5.5
Summary: This document takes you through the basics of adding security to a web application that is deployed to either the Tomcat server or the Sun Java System Application Server.
This document shows you how to configure security authentication using a basic login window and also using a login form in a web page. This document takes you through the steps for creating users on the Tomcat server and Sun Java System Application Server. After creating the users, you then create the security roles by setting the security properties in the deployment descriptor. This document also shows how you can use JDBC authentication to secure your application when deploying to the Sun Java System Application Server.
Before you begin, you need to install the following software on your computer:
<NETBEANS_HOME> - NetBeans IDE installation directory
<APPSERVER_HOME> - Sun Java System Application Server installation directory
<TOMCAT_HOME> - Tomcat installation directory
<PROJECT_HOME> - directory containing your project
In this document you will go through the following steps:
Install and start NetBeans IDE 5.5. You can do this tutorial using the bundled Tomcat server or using the Sun Java System Application Server 9.0, Platform Edition.
If you are using the Sun Java System Application Server, make sure the server is installed and a server instance is registered with the IDE. You can use the Server Manager to register the server instance. (Choose Tools > Server Manager > Add Server. Select "Sun Java System Application Server" and click Next. Click Browse and locate the installation directory of the application server. Click Finish.)
In this exercise you first create the web application project and the directory structure. You then create some simple HTML files in each of the secure directories. The web application uses basic login authentication for accessing the secure directories. If you want to use a login form for authentication, you can add a JSP page with the form.
<html>
    <head>
        <title>User secure area</title>
    </head>
    <body>
        <h1>User Secure Area</h1>
    </body>
</html>
<html>
    <head>
        <title>Admin secure area</title>
    </head>
    <body>
        <h1>Admin secure area</h1>
    </body>
</html>
You now create the JSP index page containing links to the secure areas. When the user clicks on the link they are prompted for the username and password. If you use a basic login, they are prompted by the default browser login window. If you use a login form page, the user enters the username and password in a form.
<p>Request a secure Admin page <a href="secureAdmin/pageA.html">here!</a></p>
<p>Request a secure User page <a href="secureUser/pageU.html">here!</a></p>
If you want to use a login form instead of the basic login, you can create a JSP page containing the form. You then specify the login and error pages when configuring the login method.
<%@taglib uri="http://java.sun.com/jstl/core" prefix="c" %>
<form action="j_security_check" method="POST">
    Username:<input type="text" name="j_username"><br>
    Password:<input type="password" name="j_password">
    <input type="submit" value="Login">
</form>
<html>
    <head>
        <title>Login Test: Error logging in</title>
    </head>
    <body>
        <h1>Error Logging In</h1>
        <br/>
    </body>
</html>
To be able to use user/password authentication (basic login or form-based login) security in web applications, the users and their appropriate roles have to be defined for the target server. To log in to a server, the user account has to exist on that server.
How you define the users and roles varies according to the target server you specified. In this tutorial the users admin and tomcat are used to test the security setup. You need to confirm that these users exist on the respective servers, and that the appropriate roles are assigned to the users.
The Sun Java System Application Server has one pre-defined user named admin. For this scenario you first need to use the Admin Console of the Sun Java System Application Server to create a new user named user. You then need to map the user to a role by modifying sun-web.xml. sun-web.xml is located in the Configuration Files directory of your project.
The Tomcat server bundled with the IDE already has some pre-defined users and roles.
The basic users and roles for the Tomcat server are defined in tomcat-users.xml. You can find tomcat-users.xml in your <USER_DIR>\apache-tomcat-5.5.17_base\conf directory. Your tomcat-users.xml file should look similar to this:
<tomcat-users>
    <role rolename="tomcat"/>
    <role rolename="role1"/>
    <role rolename="manager"/>
    <role rolename="admin"/>
    <user username="ide" password="(generated password)" roles="manager,admin"/>
    <user username="tomcat" password="tomcat" roles="tomcat"/>
    <user username="role1" password="tomcat" roles="role1"/>
    <user username="both" password="tomcat" roles="tomcat,role1"/>
</tomcat-users>
Note: The password for the user ide is generated when Tomcat is installed. You can change the password for the user ide, or copy the password in tomcat-users.xml.
When configuring the login method for your application, you can use the login window provided by your browser for basic login authentication. Alternatively, you can create a web page with a login form. Both types of login configuration are based on user/password authentication.
You configure the login method for the application by configuring web.xml. The web.xml file can be found in the Configuration Files directory of the Projects window.
When you use the basic login configuration, the login window is provided by the browser. A valid username and password are needed to access the secure content.
The following steps show how to configure a basic login for the Sun Java System Application Server.
Note: You can also set the timeout for the session in web.xml. To set the timeout, click the General tab of the Visual Editor and specify how long you want the session to last. The default is 30 minutes.
Using a form for login enables you to customize the content of the login and error pages. The steps for configuring authentication using a form are the same as for the basic login configuration, except that you specify the login and error pages you created.
The following steps show how to configure a login form for the Sun Java System Application Server.
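The visual editor writes the basic-login and form-login settings described in the two sections above into web.xml. The following web.xml is an added example, not a file from the tutorial or from NetBeans: it protects the secureAdmin and secureUser directories created earlier with the roles Admin and User that the sun-web.xml mapping below uses, shows the BASIC login-config and, commented out, the FORM alternative. The page names login.jsp and loginError.jsp for the form pages, the realm name "file", and the version 2.4 descriptor are assumptions; the session-timeout value is the 30-minute default the tutorial mentions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (not the tutorial's own file). The file names
     login.jsp and loginError.jsp and the realm name "file" are assumed. -->
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <!-- Session timeout in minutes; the General tab of the editor sets this -->
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

    <!-- Only the Admin role may reach anything under /secureAdmin/ -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin area</web-resource-name>
            <url-pattern>/secureAdmin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Admin</role-name>
        </auth-constraint>
        <!-- Both BASIC and FORM login send the password in clear text, so
             require an encrypted (HTTPS) connection for the protected area -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Both roles may reach /secureUser/ -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>User area</web-resource-name>
            <url-pattern>/secureUser/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>User</role-name>
            <role-name>Admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Basic login: the browser shows its own username/password dialog.
         On the Sun Java System Application Server the realm-name selects
         the realm (file = users created in the Admin Console); on Tomcat
         it is only the label shown in the dialog. -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>file</realm-name>
    </login-config>

    <!-- Form login: use this block INSTEAD of the BASIC one above, since a
         web.xml may contain only one login-config. The form on login.jsp
         must post j_username and j_password to j_security_check.
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>file</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>
    -->

    <!-- Every role referenced in an auth-constraint must be declared here -->
    <security-role>
        <role-name>Admin</role-name>
    </security-role>
    <security-role>
        <role-name>User</role-name>
    </security-role>
</web-app>
```

The role names in web.xml are the only link to the server's users. On the Sun Java System Application Server they are mapped to principals in sun-web.xml; Tomcat has no such mapping layer, so there each role-name must appear verbatim as a rolename in tomcat-users.xml (for the Tomcat users admin and tomcat used in this tutorial, that means the roles admin and tomcat). A role that is declared but never mapped simply denies every login for that area, which is the safe failure mode, but worth checking first when the login dialog keeps reappearing.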
If you are deploying your application to the Sun Java System Application Server, you need to configure the security deployment descriptors in sun-web.xml to map the security roles defined in web.xml.
You can also view and edit sun-web.xml in the XML editor by clicking Edit As XML in the top right corner of the Sun Web Application visual editor. If you open sun-web.xml in the XML editor, you can see that sun-web.xml has the following security role mapping information:
<security-role-mapping>
    <role-name>Admin</role-name>
    <principal-name>admin</principal-name>
</security-role-mapping>
<security-role-mapping>
    <role-name>User</role-name>
    <principal-name>user</principal-name>
</security-role-mapping>
In the Projects window, right-click the project node and choose Run. After building and deploying the application to the server, the start page opens in your web browser. Choose the secure area that you want to access by clicking either the Admin or the User link.
After supplying the user and password, there are three possible results: